SMART CARD GUIDE
About smart cards and support sessions
During a support session using the representative console, a support representative may need to operate with administrative rights in order to effectively troubleshoot the remote computer. Within environments where security implementations require smart card use for authentication, Remote Support enables the representative to share a local smart card within a support session so that it can be used as an authentication source on the customer system.
To achieve this, the representative's system must have a Virtual Smart Card Representative driver installed and the customer's system must have a Virtual Smart Card Customer driver installed. The Virtual Smart Card Customer driver can either be pre-installed on the customer system or pushed to the customer system during the Jump process. For the latter, the Virtual Smart Card Customer is uninstalled when the session ends. If the Jump Client is installed, the Virtual Smart Card Customer remains installed until the Jump Client is uninstalled.
Note
This feature is not supported for ARM-based Windows systems.
Only the Desktop Representative Console supports sharing a smart card into a support session. The Web Rep Console does not support smart cards.
Prerequisites
To use BeyondTrust smart card support through a Jump Client:
- The target being supported is a member of a PKI enabled Active Directory Domain.
- The smart card being shared into the support session contains credentials that are valid within the target Active Directory Domain.
- The representative's computer has the appropriate Remote Support Virtual Smart Card Representative installed.
- Each supported computer has the appropriate Remote Support Virtual Smart Card Customer installed.
- Each supported computer is running Windows 7 or newer.
- Each supported computer must be accessible by a Remote Support Jump Client running in elevated mode.
Note
When Jump To is used to access the remote system, the Virtual Smart Card Customer driver does NOT have to be pre-installed.
Remote Support smart card support can be used with customer-initiated sessions when:
- The target being supported is a member of a PKI enabled Active Directory Domain.
- The smart card being shared into the support session contains credentials that are valid within the target Active Directory Domain.
- The representative's computer has the appropriate Remote Support Virtual Smart Card Representative installed.
- Each supported computer has the appropriate Remote Support Virtual Smart Card Customer installed.
- Each supported computer is running Windows 7 or newer.
Install the smart card driver
- From the left menu, click Consoles & downloads > Drivers.
- Download the representative installation package and the customer installation package for the appropriate versions of Windows.
- Install the representative virtual smart card driver.
- Distribute the representative driver installer to all representatives within your support center who require remote smart card functionality.
- The driver can be installed manually or via a software deployment tool.
- Once the driver is installed, it creates a service called BeyondTrust Representative Service.
- Install the customer virtual smart card driver. (If Jump To is used to access the remote system, the customer virtual smart card driver does NOT have to be pre-installed.)
- Distribute the customer driver installer to all remote computers to which you will need to pass smart card credentials.
- The driver can be installed manually or via a software deployment tool.
- Once the driver is installed, it creates a service called BeyondTrust Customer Service.
Use a Jumpoint or Jump Client for elevated session start
When attempting to operate with the credentials on a smart card, the user is prompted to enter a PIN. This User Account Control (UAC) prompt is inaccessible to the support representative if the BeyondTrust customer client is not already running in elevated mode. It is therefore necessary to access the remote computer in one of these ways:
- A Jump Client running as a system service
- A Jumpoint or local network Jump, using administrative credentials
Accessing the remote computer in elevated mode allows the representative to interact with UAC prompts in order to enter the smart card PIN.
Jump Client installation
To install a Jump Client in preparation for using smart card support, you must set certain options as described below.
- From the /login interface of your B Series Appliance, go to Jump > Jump Clients.
- Configure the Jump Client settings as needed.
  - Be sure to check Attempt an Elevated Install if the Client Supports It as well as Prompt for Elevation Credentials if Needed.
- Click Create.
- From this page, you may email the Jump Client installer to one or more remote users.
- Alternatively, select a platform and download the Jump Client installer to your local system. You may then distribute this installer to multiple systems for manual installation, or you may distribute it via a software deployment tool.
Use a virtualized smart card
To use smart card credentials on a remote system, you must Jump to that system, or you must start a customer-initiated session with a system that has the BeyondTrust Customer Service pre-installed.
If using a Jump Client, the Jump Client must be running in service mode, or the remote system must also have the elevation service pre-installed with its service running. The virtual smart card drivers must be installed on both your local system and the remote system, with their services running.
Alternatively, a system can be accessed using the Jump To functionality from within the representative console. Using the Jump To functionality does not require the VSC Customer Service to be pre-installed on the customer's system. In this scenario, BeyondTrust installs the BeyondTrust Customer Service as part of the Jump to the end system being accessed.
Note
The VSC Customer Service is only installed during a Jump To push when the representative performing the Jump has the VSC Representative Service installed on their local system.
If using a customer-initiated session, the VSC Customer Service must be pre-installed on the remote computer, and its service must be running. Also, the appropriate smart card drivers must be installed on both your local system and the remote system, with their services running.
Begin a screen sharing session, and then click the Smart Card button to access a dropdown of available smart card readers on your system.
Note
If the Smart Card button does not appear in the screen sharing tool bar, make sure the VSC Representative Service is running on your local computer. If the Smart Card button is present but disabled, make sure the VSC Customer Service is running on the remote computer.
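The prerequisites above and the troubleshooting note here come down to a handful of checks on each machine: the right BeyondTrust service installed and running, a supported Windows version, a non-ARM CPU, and (for the endpoint) membership in an Active Directory domain. The following PowerShell function is an added example written for this guide, not BeyondTrust's own tooling; it is read-only and makes no configuration changes. It looks the services up by the display names the guide states ("BeyondTrust Representative Service" and "BeyondTrust Customer Service"), since the short service names are not documented here. The function name, parameter name and the `ENDPOINT01` computer name in the usage comment are illustrative assumptions. It checks the machine it runs on; running it against a remote endpoint assumes WinRM is reachable.

```powershell
function Test-SmartCardSessionReadiness {
    [CmdletBinding()]
    param(
        # 'Representative' checks the console machine; 'Customer' checks a supported endpoint.
        [Parameter(Mandatory)]
        [ValidateSet('Representative', 'Customer')]
        [string]$Role
    )

    # Service display names as given in the guide (assumed to match what the driver installs).
    $displayName = if ($Role -eq 'Representative') {
        'BeyondTrust Representative Service'
    } else {
        'BeyondTrust Customer Service'
    }

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue

    $problems = New-Object System.Collections.Generic.List[string]

    # Missing service: Smart Card button absent (representative) or disabled (customer).
    if (-not $svc) {
        $problems.Add("'$displayName' is not installed; install the $Role virtual smart card driver.")
    } elseif ($svc.Status -ne 'Running') {
        $problems.Add("'$displayName' is installed but $($svc.Status); start it before the session.")
    }

    # Windows 7 is NT 6.1; the guide requires Windows 7 or newer.
    if ([version]$os.Version -lt [version]'6.1') {
        $problems.Add("Windows $($os.Version) is older than Windows 7 (6.1).")
    }

    # The guide states the feature is not supported on ARM-based Windows.
    # PROCESSOR_ARCHITECTURE reads 'ARM64' on native ARM PowerShell (assumption: not running under emulation).
    if ($env:PROCESSOR_ARCHITECTURE -like 'ARM*') {
        $problems.Add('ARM-based Windows is not supported for this feature.')
    }

    # Only the supported endpoint must be in the PKI-enabled AD domain; whether PKI
    # (smart card logon) is enabled in that domain cannot be determined from the endpoint alone.
    if ($Role -eq 'Customer' -and -not $cs.PartOfDomain) {
        $problems.Add('Endpoint is not domain-joined; smart card logon needs a PKI enabled AD domain.')
    }

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        Role           = $Role
        Service        = $displayName
        ServiceStatus  = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        WindowsVersion = $os.Version
        Architecture   = $env:PROCESSOR_ARCHITECTURE
        Domain         = if ($cs.PartOfDomain) { $cs.Domain } else { $null }
        Ready          = ($problems.Count -eq 0)
        Problems       = $problems.ToArray()
    }
}

# Usage on the representative console machine:
#   Test-SmartCardSessionReadiness -Role Representative | Format-List
# Usage on a supported endpoint, run locally or over WinRM (ENDPOINT01 is a placeholder name):
#   Invoke-Command -ComputerName ENDPOINT01 -ScriptBlock ${function:Test-SmartCardSessionReadiness} -ArgumentList 'Customer'
```

`Ready` is true only when `Problems` is empty; when the Smart Card button is missing or greyed out, the `ServiceStatus` field for the relevant role is the first thing to read. The function does not check that the Jump Client itself runs as a system service, because the guide does not name that service.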
The smart card dropdown menu displays the name(s) of the available smart card readers and smart cards. A reader in bold text is being shared in the current active session. An icon indicates the availability of each card reader or presence of each card:
- Black icon: Card not present
- Blue icon: Card present
- Gray icon: Reader/card is shared in another session
Click the reader you would like to share with the remote computer. Once the reader has been virtualized on the remote system, a message indicating that you have shared this reader is logged in the chat window. The selected reader is now available to use on the remote computer, and a smart card inserted locally is virtualized and operates as if it were physically present on the remote system being supported.
Once you have shared a reader, it remains selected and available for use throughout the session, as long as you do not log out the current user. If you do log out the current user on the remote computer, the shared reader is unshared and must be shared again if you need it later in the session.
When screen sharing, use a virtual smart card to perform administrative actions. You can run programs in another user context, or even log in as a different user.
If the virtual smart card feature is available in a session that is not elevated and a smart card reader has been shared into the session, then certificates stored on the inserted smart card can be selected and used for elevation, provided the certificates are associated with accounts that have the appropriate permissions.
Note
Elevation performed using this feature takes slightly longer due to the extra transactions required to the virtual smart card reader.
Elevation causes the customer client to restart in order to become elevated. The restart makes the shared reader unshared, and it must be shared again with the elevated session if it is required for use.
A smart card reader can be attached to only one active session at a time. From the Smart Card dropdown in the support session in which the reader was shared, you can deselect a virtualized reader to free it for use in another session.
This feature is not supported for ARM-based Windows systems.
Use case 1: Log in to the endpoint using smart card credentials
After Jumping to a remote computer, you may find that the computer is locked. Alternatively, you may need to perform administrative functions not permitted in the current user context.
Go to the remote login screen, logging out the current user if necessary. Click the Smart Card button and select a smart card reader to virtualize on the remote system. The smart card will now appear as a user login option.
Click the smart card user, enter the PIN, and log in.
Use case 2: Run as the smart card user
While supporting a remote computer, you may need to run a specific application with privileges not available in the current user context. Within a screen sharing session, click the Smart Card button and select a smart card reader to virtualize on the remote system. Right-click the desired application and choose Run As. From the UAC prompt that appears, select the smart card and enter the PIN to run the application in the smart card user context.
Note
Smart card credentials cannot be used to run elevated tasks from the Special Actions menu.